FR3095879A1 - DESIGN PROCESS OF A SIGNATURE GENERATOR OF AN ENTITY PERFORMING ACTIONS IN A COMPUTER ARCHITECTURE, ABNORMAL BEHAVIOR DETECTION PROCESS, COMPUTER PROGRAM AND CORRESPONDING SYSTEM - Google Patents

Abstract

This method comprises: obtaining a trainable machine (202) comprising at least: an upstream neural network (204A) intended to provide a signature (SG) of an entity (E) from a set of statistical characteristics (V) of dated actions of this entity (E) in an IT infrastructure (100), and a classifier (204B) intended to provide an entity prediction (E *) from the signature (SG) provided by the upstream neural network (204A); - obtaining training data comprising sets of statistical characteristics (V) of dated actions, each associated with an entity (E) having carried out these actions in the IT infrastructure; and - supervised training of the trainable machine (202) from the training data so that the trainable machine (202) correctly predicts the entities (E) associated with the sets of statistical characteristics (V) of the training data . According to the invention, the supervised training is further carried out so that the trainable machine (202) groups the signatures (SG) of each of the entities (E) associated with the sets of statistical characteristics (V) of the training data around of a center associated with this entity (E), and the method further comprises providing the signature generator (204A) comprising the neural network (204A) after training. Figure for the abstract: Fig. 2

Description

METHOD FOR DESIGNING A SIGNATURE GENERATOR OF AN ENTITY PERFORMING ACTIONS IN A COMPUTER ARCHITECTURE, METHOD FOR DETECTING ABNORMAL BEHAVIOR, CORRESPONDING COMPUTER PROGRAM AND SYSTEM

The present invention relates to a method for designing a signature generator of an entity performing actions in a computer architecture, a method for detecting abnormal behavior, a computer program and a corresponding system.

The invention applies more particularly to a method for designing a signature generator intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computer infrastructure, the process comprising:

- obtaining a drivable machine comprising at least:

-- an upstream neural network intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computing infrastructure, and

-- a classifier intended to provide an entity prediction from the signature provided by the upstream neural network;

- obtaining training data comprising sets of dated statistical characteristics of actions, each associated with an entity having carried out these actions in the IT infrastructure; And

- supervised training of the trainable machine from the training data such that the trainable machine correctly predicts the entities associated with the statistical feature sets of the training data.

The article by Tuor et al. titled "Predicting User Roles from Computer Logs Using Recurrent Neural Networks" and published in "Proceedings of the Thirty-First AAAI Conference on Artificial Intelligence (AAAI-17)", describes a method for designing an entity role predictor for providing a prediction of the role of an entity from a set of statistical characteristics of dated actions of this entity in a computing infrastructure, the method comprising:

- obtaining a drivable machine;

- obtaining training data comprising sets of statistical characteristics of dated actions of entities in the IT infrastructure, each set of statistical characteristics being associated with a role of the entity; And

- supervised training of the trainable machine from the training data such that the trainable machine correctly predicts the roles associated with the feature sets of the training data.

Being able to predict the role of an entity makes it possible to characterize the usual behavior of the latter. However, this characterization is very vague. Indeed, several entities can have the same role. Moreover, even if a very large number of roles is planned, this number will always remain very low compared to all the behavioral possibilities. Thus, knowledge of the role of an entity does not make it possible to precisely define the usual behavior of a unit, in particular to determine when the behavior of the entity deviates significantly from this usual behavior. In other words, role classification is too weak a constraint for characterizing behaviors. In particular, it is impossible to discriminate between behaviors associated with the same role. However, the detection of such a deviation can make it possible to detect the presence of a threat in the computer architecture, such as the presence of malicious software or reprehensible behavior of a user, such as industrial espionage. .

It may thus be desirable to provide a characterization of the behavior of an entity which makes it possible to overcome at least some of the aforementioned problems and constraints.

The subject of the invention is therefore a method for designing a signature generator intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computer infrastructure, the method comprising :

- obtaining a drivable machine comprising at least:

-- an upstream neural network intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computing infrastructure, and

-- a classifier intended to provide an entity prediction from the signature provided by the upstream neural network;

- obtaining training data comprising sets of dated statistical characteristics of actions, each associated with an entity having carried out these actions in the IT infrastructure; And

- supervised training of the trainable machine from the training data such that the trainable machine correctly predicts the entities associated with the sets of statistical characteristics of the training data;

the method being characterized in that the supervised training is also carried out so that the trainable machine groups the signatures of each of the entities associated with the sets of statistical characteristics of the training data around a center associated with this entity,

and in that it further comprises:

- the supply of the signature generator comprising the upstream neural network after training.

Thus, thanks to the invention, the signature generator is able to generate a signature characterizing very finely the behavior of the entity, which makes it possible to detect even a slight behavioral deviation. In addition, the signatures of the different entities are sufficiently spaced from each other, thanks to the training on the grouping of the signatures, to minimize the risk of confusing a signature of an entity having an unusual behavior with a signature associated with the usual behavior. of another entity, and therefore not to detect the unusual behavior of the first entity.

Optionally, the center is a barycenter, for example an isobarycenter, of the signatures of the entity with which this center is associated.

Also optionally, the supervised training uses a total loss function using a first loss function associated with entity prediction and a second loss function associated with signature clustering.

Also optionally, the total loss function uses a linear combination of the first and second loss functions.

Also optionally, the linear combination has a coefficient for at least one of the first and second loss functions, this coefficient being a hyperparameter, and the method comprises:

- supervised training of the trainable machine from training data for several sets of hyperparameters;

- for each set of hyperparameters, the analysis of the signatures obtained to produce a performance evaluation; And

- the selection of hyperparameters giving the best performance evaluation.

Also optionally, the trainable machine comprises a global neural network comprising N layers of neurons, the upstream neural network comprising the N−k first layers and the classifier comprising the k last layers, k being greater than or equal to one.

Also optionally, the supervised training is additionally carried out so that the trainable machine performs one or more other tasks.

There is also proposed a method for detecting abnormal behavior of an entity comprising:

- the supply of at least one set of statistical characteristics of dated actions of the entity in a computer infrastructure to a signature generator designed according to a method according to the invention;

- the provision by the signature generator of a signature of the entity for each set of statistical characteristics;

- the comparison of a datum from the signature(s) provided by the signature generator with at least one reference datum; And

- the detection of normal or abnormal behavior of the entity from the comparison.

There is also proposed a computer program downloadable from a communication network and/or recorded on a computer-readable medium and/or executable by a processor, characterized in that it comprises instructions for the execution of the steps of a method according to the invention, when said program is executed on a computer.

There is also proposed a system for designing a signature generator intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computer infrastructure, comprising:

- a drivable machine comprising at least:

-- an upstream neural network intended to provide a signature of an entity from a set of statistical characteristics of dated actions of this entity in a computing infrastructure, and

-- a classifier intended to provide an entity prediction from the signature provided by the upstream neural network;

- a training device designed to train the trainable machine in a supervised manner from training data comprising sets of dated statistical characteristics of actions, each associated with an entity having carried out these actions in the IT infrastructure, so that the trainable machine correctly predicts the entities associated with the statistical feature sets of the training data;

the system being characterized in that the training device is further adapted to drive the trainable machine such that the trainable machine gathers the signatures of each of the entities associated with the sets of statistical characteristics of the training data around a center associated with this entity, and in that the signature generator includes the upstream neural network after training

The invention will be better understood with the aid of the following description, given solely by way of example and made with reference to the appended drawings in which:

FIG. 1 schematically represents the general structure of a computer infrastructure, monitoring means and means for extracting statistical characteristics, according to one embodiment of the invention,

FIG. 2 schematically represents the general structure of a system for designing an entity signature generator, according to one embodiment of the invention,

FIG. 3 illustrates the successive steps of a method for designing an entity signature generator, according to one embodiment of the invention,

FIG. 4 schematically represents the general structure of a system for detecting abnormal behavior of an entity, according to one embodiment of the invention, and

FIG. 5 illustrates the successive steps of a method for detecting abnormal behavior of an entity, according to one embodiment of the invention.

FIG. 1 illustrates a computer infrastructure 100 that can include, for example, a large number of computers linked together in a network.

Entities (five in the example described, bearing the references E1, E2, E3, E4, E5 respectively) use this IT infrastructure 100. Each entity can be an internal element of the IT infrastructure 100 (case of entities E1, E3 , E5), for example a computer program or else a computer of the IT infrastructure 100, or else an external element of the IT infrastructure 100 (case of the entities E2, E4), for example a user (human) or indeed a computing device connected to the computing infrastructure 100. Thus, each entity E1, E2, E3, E4, E5 carries out, over time, different actions in the computing infrastructure 100, these actions being represented in FIG. 1 by arrows.

Furthermore, in the example described, each entity E1, E2, E3, E4, E5 is associated with a group. Each group therefore comprises one or more of the entities E1, E2, E3, E4, E5. For example, a first group includes the entities E1 and E2, while a second group includes the entities E3, E4, E5.

To monitor the actions of the entities E1, E2, E3, E4, E5, monitoring means 102 are provided. The monitoring means 102 are designed to monitor the entities E1, E2, E3, E4, E5 and to provide a history H of actions that they perform in the IT infrastructure 100 during a monitoring interval of duration W ₀ . The history H associates each action with the entity that performed this action and with the date (in the sense of date and time) of this action. An example of H history is shown in the following table.

Stock Entity Date Action A1 E3 Day 1 (Monday), 8:56 a.m. Action A1 E3 Day 1 (Monday), 9:37 a.m. Action A2 E1 Day 1 (Monday), 3:13 p.m. Action A1 E3 Day 2 (Tuesday), 10:23 a.m. Action A2 E3 Day 2 (Tuesday), 12:01 p.m. Action A3 E2 Day 2 (Tuesday), 6:22 p.m. Action A2 E2 Day 2, (Tuesday), 11:06 p.m. Action A1 E1 Day 3 (Wednesday), 11:00 a.m. Action A3 E2 Day 3, (Wednesday), 11:04 a.m. Action A1 E3 Day 4 (Thursday), 9:07 a.m. Action A2 E3 Day 4 (Thursday), 12:57 p.m. Action A3 E1 Day 4 (Thursday), 1:04 p.m. Action A2 E3 Day 4 (Thursday), 5:38 p.m. … … …

The H history can additionally indicate other information for certain actions. For example, an action can correspond to the sending of an email and be associated, in addition to the date of sending (corresponding to the date of the action), with the subject of the email, the recipient(s), the sender, the number of attachments and their names.

Means 104 for extracting statistical characteristics are also provided. The extraction means 104 are designed, for each entity E1, E2, E3, E4, E5 and for each of a plurality of time intervals, called extraction intervals, contained in the monitoring interval, to calculate a predefined number of statistical characteristics of actions of this entity listed in the history H and having occurred during the extraction interval considered. Thus, the extraction means 104 supply, for each entity E1, E2, E3, E4, E5, as many sets of statistical characteristics as there are extraction intervals.

The statistical characteristics are for example calculated from respective predefined calculation rules.

In FIG. 1, the reference V represents a set of statistical characteristics provided by the extraction means 104.

Each set of statistical characteristics is for example in the form of a vector whose components are respectively formed by the statistical characteristics.

Preferably, the extraction intervals do not overlap, are adjacent, have the same duration W and are the same for all the entities E1, E2, E3, E4, E5. In the example described, the duration W ₀ of the monitoring interval is equal to twelve days, subsequently numbered from 1 to 12, and the duration W of the extraction intervals is equal to one day. Thus, in the example described, the extraction means 104 supply, for each of the entities E1, E2, E3, E4, E5, twelve sets of statistical characteristics, corresponding respectively to the twelve days of the monitoring interval.

In the following, the set of feature sets of a feature from consecutive extraction intervals will be called a sequence of statistical feature sets. Thus, in the example described, the extraction means 104 supply, for each of the entities E1, E2, E3, E4, E5, a sequence of twelve sets of statistical characteristics.

A statistical characteristic is for example: the average number of occurrences of an action per unit of time ; the date of the first activity (useful for example to identify a change in punctuality); aggregation in the form of counts, mean values or other higher-order statistical moments providing relevant information on the underlying distribution (variance, Kurtosis, Skewness, etc.). In some cases, a statistical characteristic can be derived from the distance between the distribution over the past of the variable and the new distribution (quantified via measures of similarity between distributions such as the Kullback-Leibler divergence for example). Other statistical characteristics can be derived from the covariance between two activity variables over a time interval (thus allowing access to finer statistical information that could not have been captured by statistical information on each of the variables independently).

Figure 2 illustrates a system 200 for designing a signature generator.

The design system 200 first comprises a trainable machine 202 having hyperparameters, as well as parameters intended to be determined by learning once a set of hyperparameters has been chosen. The trainable machine 202 includes at least one upstream neural network 204A and one downstream classifier 204B.

The upstream neural network 204A is intended to provide a signature SG of an entity E from a set of statistical characteristics (such as the sets of characteristics provided by the extraction means 104) of dated actions of this entity . For the training of the trainable machine 202, the set of statistical characteristics V is associated with the entity E having carried out these actions, this entity E being itself associated, in the example described, with a group G.

The downstream classifier 204B is intended to provide an entity prediction E* from the signature SG provided by the upstream neural network 204A.

For example, the trainable machine 202 comprises a neural network 204, for example a deep neural network, comprising N layers of neurons. The upstream neural network 204A then comprises the first N-k layers and the downstream classifier 204B comprises the last k layers, k being an integer greater than or equal to one. k is for example one.

By "neural network" is meant a complex structure formed of a plurality of layers, each layer comprising a plurality of artificial neurons. An artificial neuron is an elementary processor, which calculates a single output based on the information it receives. Each neuron of a layer is connected to at least one neuron of a neighboring layer via an artificial synapse to which is assigned a synaptic coefficient or weight, updated during training of the neural network. It is during this training step that the weight of each artificial synapse will be determined from training data.

The neural network 204 is for example a recurrent neural network with short and long term memory (or LSTM, from the English “Long Short Term Memory”) or else a multi-layer perceptron neural network (or MLP, from the English "Multi Layer Perceptron"). A hyperparameter can be used to select the structure of the neural network 204, for example the number of layers of neurons in the neural network.

The last layer of the upstream neural network 204A (i.e. the N-kth layer of the neural network 204) has S neurons, so the signature SG is composed of the outputs of these S neurons. Thus, the signature SG comprises S logits. A “Logit” is the result of the activation of a neuron, in this case of the N-kth layer.

The trainable machine 202 is intended to be trained in a supervised manner to carry out several tasks simultaneously (technique known as “multi-task learning”). These tasks include at least the following two tasks, called main tasks.

The first main task is to correctly predict the entity associated with the set of statistical features V provided as input. This entity prediction is denoted E*. This first main task will be called hereafter “entity prediction task”.

The second main task is to group, in the space of signature components, the signatures of the same entity around a center associated with this entity. This center is for example a barycenter, such as the isobarycenter, of the signatures of the entity. This second main task will be called hereinafter “signature grouping task”.

The tasks carried out by the trainable machine 202 can also comprise N other tasks, called “business tasks”, relating to an aspect relevant to the business. For each of these business tasks, the trainable machine 202 can include one or more additional elements providing data on which the training is performed, from data provided by the upstream neural network 204A (for example one of the layers, for example the one giving the signature SG).

Business tasks can consist of predicting categorical or numerical variables. An example of a categorical business task can be the classification of a 'Web' variable relating to a connection activity which can take the following values: 1. None, 2. Occasional, 3. Frequent. An example of a digital business task can be the prediction of the daily connection frequency to machines.

In the example described, a single business task is used. This business task is to correctly predict the group G to which the entity whose signature S is provided by the upstream neural network 204A belongs. This group prediction is denoted G*. Thus, the trainable machine 202 further comprises a group predictor element 206 designed to provide, from the signature SG, a prediction G* of the group to which the entity associated with the set of statistical characteristics V provided as input belongs. This business task will be called hereafter “group prediction task”.

The element 206 comprises for example a neural network intended to be trained at the same time as the neural network 204.

Thus, in total, the trainable machine 202 is intended to be driven in a supervised manner to perform N+2 tasks simultaneously (N integer greater than or equal to 0).

To achieve this training, a training device 207 is planned.

This training device 207 comprises, for each task, a module designed to calculate a loss function, called specific loss function, associated with this task.

Thus, the training device 207 first of all comprises a first module 208 for calculating a specific loss function L _ID associated with the entity prediction task. The specific loss function L _ID is for example representative of a distance between the identifiers ID and the predictions ID*, for example between the distributions of the true identifiers and of the predicted identifiers. In the example described, the specific loss function L _ID is the so-called “cross-entropy” loss function.

The training device 207 further includes a second module 210 for calculating a specific loss function L _C associated with the signature grouping task. For example, the specific loss function L _C uses, for each entity, a distance (in the space of the S components of the signatures SG) between the signatures of this entity and a center associated with this entity, such as the isobarycentre of these signatures. Thus, the specific loss function L _C is representative of these distances. In the example described, the specific loss function L _C is the so-called “center loss” loss function described in the article by Wen, Y., Zhang, K., Li , Z., Qiao, Y., entitled “A discriminative feature learning approach for deep face recognition. and published in Computer Vision - ECCV 2016 - 14th European Conference, Amsterdam, The Netherlands, October 11-14, 2016, Proceedings, Part VII. (2016) 499–515.

The training device 207 further comprises a third module 212 for calculating a specific loss function L_Gassociated with the group prediction task. The specific loss function L_Gis representative of a distance between the group predictions G* and the groups G, for example between the distributions of the true groups and the predicted groups. In general, for business tasks, the “cross-entropy” loss function is for example used for each business task whose values are categorical, while the so-called “mean squared error” loss function (“mean squared error” in English) is for example used for business tasks whose values are numeric. In the example described, the business task is group prediction, which is therefore a business task whose values are categorical, so the “cross-entropy” loss function is chosen for the specific loss function L_G.

In addition, the training device 207 comprises a fourth module 214 for calculating a total loss function L _{total e} from the specific loss functions L _ID , L _C , and L _G . In the example described, the total loss function L _total comprises a linear combination of the specific loss functions. The total loss function L _total is for example given by: L _total = L _ID + αL _C + λL _G + γL _REG , where the coefficients α, λ and γ are hyperparameters and where L _REG is a loss term added for regularize the pattern during training. L _REG is a term depending only on the parameters of the model and constraining the model to remain in a certain space of solutions. An example of a regularization term is the L2 norm (called “weight decay” in the literature) on the parameters of the layers of the neural network pushing all the weights towards 0 when this regularization term is minimized via the minimization of the loss function total L _total .

The drive device 207 further comprises a module 216 for updating parameters of the drivable machine 202 from the total loss function L _{total e} . These parameters comprise in particular the synaptic weights of the neural network or networks (the neural networks 204 and 206 in the example described) of the trainable machine 202.

Referring to Figure 3, a method 300 of designing a signature generator will now be described.

During a step 302, the monitoring means 102 monitor the actions of the entities E1, E2, E3, E4, E5 during a monitoring time interval of duration W ₀ and record their actions in the history H. The duration W ₀ equals, in the example described, twelve days subsequently numbered from one to twelve.

During a step 304, the duration W is chosen. In the example described, the duration W is one day.

During a step 306, training data and first and second validation data are obtained.

For this, from the history H, the extraction means 104 calculate, for each entity E1, E2, E3, E4, E5 and for each extraction interval, a set of statistical characteristics of the actions of this entity E1 , E2, E3, E4, E5 during the extraction interval considered. In the example described, these time intervals have the duration W, i.e. one day.

Thus, for the entity E1, the extraction means 104 calculate a set of statistical characteristics for each of the days 1 to 12. Similar calculations are carried out for the other entities E2, E3, E4, E5, so as to obtain twelve sets of characteristics for each entity E1, E2, E3, E4, E5.

A first portion of successive feature sets of a first portion of the features are selected to form the training data. A second part of successive feature sets of this first part of the entities is selected to form the first validation data. In the example described, the feature sets of entities E1, E2, E3 from days 1 to 9 are selected as training data and the feature sets of entities E1, E2, E3 from days 10 to 12 are selected as first validation data.

Further, successive feature sets of the other entities are selected as second validation data. In the example described, the feature sets of entities E4, E5 from days 1 to 12 are selected as second validation data.

During a step 308, values for the hyperparameters are chosen, for example a structure of the neural network 204 among several predefined ones and values of the coefficients α, λ and γ are chosen.

During a step 309, the drivable machine 202 of FIG. 2 is obtained.

During a step 310, the trainable machine 202 is trained in a supervised manner from the training data to carry out the various planned tasks, namely in the example described: entity prediction, grouping of signatures and , if applicable, the performance of the business task(s).

For this, in the example described, the following steps are carried out. The statistical feature sets of the training data are provided one after another to the trainable machine 202. For each provided statistical feature set V, the upstream neural network 204A generates a signature SG, the downstream classifier 204B provides a prediction entity E* from the signature SG and the module 212 provides a group prediction G* from the signature SG. From the signatures SG, the entity predictions E* and the group predictions G* obtained from the first training data, the modules 208, 210, 212 respectively calculate the loss functions L _ID , L _C , L _G and module 216 calculates the _total loss function L for the training data. The update module 216 then modifies the parameters of the drivable machine 202 according to the _total global loss function L , with the aim of reducing the latter. The previous steps are then repeated, for example until the total loss function L _total no longer evolves much (for example, until the improvement of the total loss function L _total passes below a threshold preset).

Thus, the loss function L _ID guides the training to predict the entity, that is to say to classify the sets of input statistical characteristics between U classes, corresponding to the U entities of the first training data.

The loss function L _C guides the training to group the signatures of the same entity, and thereby reduce the intra-class variation.

During a step 312, the upstream neural network 204A is validated using the first and second validation data.

For this, in the example described, the sets of statistical characteristics of the first and second validation data are used. More specifically, the following steps are carried out. The sets of characteristics of the first and second validation data are supplied one after the other to the upstream neural network 204A which each time generates a signature SG. The signatures obtained are then analyzed to produce a performance evaluation of the upstream neural network 204A.

Steps 310 and 312 can be repeated with other hyperparameters, in particular with other values for the coefficients α, λ and γ. In this case, the hyperparameters giving the best performance evaluation at step 312 are selected.

During a step 314, the upstream neural network 204A is provided as a signature generator (hereinafter designated by the same reference 204A).

With reference to FIG. 4, a system 400 for detecting abnormal behavior of an entity will now be described.

The detection system 400 first of all comprises the IT infrastructure 100, the monitoring means 102 and the extraction means 104. It also comprises the signature generator 204A obtained for example by the method of FIG. 3.

The detection system 400 further comprises means 402 for determining activity data, means 404 for predicting activity data and means 406 for detecting anomaly.

With reference to FIG. 5, a method 500 for detecting abnormal behavior of an entity will now be described.

During a step 502, the monitoring means 102 monitor at least one entity E (one of the entities E1, E2, E3, E4, E5 or else another entity) over a monitoring interval to provide a history H of actions performed by each monitored entity E in the IT infrastructure 100.

During a step 504, the extraction means 104 supply, from the history H, for each monitored entity E, a sequence of K+1 sets of statistical characteristics V ₁ …V _K , V _K+1 , K being an integer greater than or equal to one.

During a step 506, for each monitored entity E, the means 402 determine activity data D from the last set of statistical characteristics V _K+1 of the sequence.

During a step 508, for each monitored entity E, the first K sets of statistical characteristics V ₁ ...V _K of the sequence are supplied to the signature generator 204A (after the training of FIG. 3) which supplies in response as many signatures SG ₁ …SG _K of the monitored entity E.

During a step 510, the prediction means 404 provide a prediction of activity data D* from the signatures SG ₁ ...SG _K . For this, the prediction means 404 comprise a previously trained neural network in a supervised manner to predict the activity data of the last set of statistical characteristics of a sequence of K+1 sets of statistical characteristics, from the first K sets statistical characteristics of this sequence. For training, feature set sequences are used as input to means 402 and to signature generator 204A, the latter remaining unchanged (i.e. not being trained) during training of means 404 Any sequences of feature sets can be used for training (especially those of entities different from those used for training signature generator 204A), with the exception, preferably, of sequences comprising sets of statistical characteristics having been used to train the signature generator 204A.

During a step 512, the anomaly detection means 406 compare the activity data D with a reference datum, their prediction D* in the example described, and detect an anomaly, i.e. say an abnormal behavior, or else an absence of anomaly (i.e. a normal behavior) from the comparison.

It is clear that a signature generator design method such as the one described above makes it possible to obtain a signature generator providing accurate signatures that can be used to detect anomalous (unusual) behavior of an entity.

It will further be appreciated that each of the elements 102, 104, 202, 204A, 204B, 206, 207, 208, 210, 212, 214, 216, 402, 404, 406 previously described can be implemented in hardware, for example by micro-programmed or micro-wired functions in dedicated integrated circuits (without a computer program), and/or in software, for example by one or more computer programs intended to be executed by one or more computers each comprising, d on the one hand, one or more memories for storing data files and one or more of these computer programs and, on the other hand, one or more processors associated with this or these memories and intended to execute the instructions of the or computer programs stored in the memory(s) of this computer.

It will also be noted that the invention is not limited to the embodiments described above. It will indeed appear to those skilled in the art that various modifications can be made to the embodiments described above, in the light of the teaching which has just been disclosed to them. In the detailed presentation of the invention which is made above, the terms used must not be interpreted as limiting the invention to the embodiments set out in the present description, but must be interpreted to include therein all the equivalents whose provision is within the reach of those skilled in the art by applying their general knowledge to the implementation of the teaching which has just been disclosed to them.

Claims (10)

Method (300) for designing a signature generator (204A) intended to provide a signature (SG) of an entity (E) from a set of statistical characteristics (V) of dated actions of this entity ( E) in a computer infrastructure (100), the method comprising:

• obtaining (309) a drivable machine (202) comprising at least:
  • an upstream neural network (204A) intended to provide a signature (SG) of an entity (E) from a set of statistical characteristics (V) of dated actions of this entity (E) in a computing infrastructure ( 100), and
  • a classifier (204B) intended to provide an entity prediction (E*) from the signature (SG) provided by the upstream neural network (204A);
• obtaining (306) training data comprising sets of statistical characteristics (V) of dated actions, each associated with an entity (E) having carried out these actions in the computing infrastructure (100); And
• the supervised training (310) of the trainable machine (202) from the training data so that the trainable machine (202) correctly predicts the entities (E) associated with the sets of statistical characteristics (V) of the data of coaching ;

the method (300) being characterized in that the supervised training is also carried out so that the trainable machine (202) gathers the signatures (SG) of each of the entities (E) associated with the sets of statistical characteristics (V) of the training data around a center associated with this entity (E),
and in that it further comprises:

• providing (314) the signature generator (204A) including the upstream neural network (204A) after training.

Method according to claim 1, in which the center is a barycentre, for example an isobarycentre, of the signatures (SG) of the entity (E) with which this center is associated. A method according to claim 1 or 2, wherein the supervised training uses a total loss function (L _total ) using a first loss function (L _ID ) associated with the entity prediction and a second loss function (L _C ) associated with the grouping of signatures (SG). A method according to claim 3, wherein the total loss function (L _total ) uses a linear combination of the first and second loss functions (L _ID , L _C ). A method according to claim 4, wherein the linear combination has a coefficient for at least one of the first and second loss functions (L_ID, I_VS), this coefficient being a hyperparameter, and comprising:

• supervised training (310) of the trainable machine (202) from training data for multiple sets of hyperparameters;
• for each set of hyperparameters, analyzing the signatures obtained to produce a performance evaluation; And
• the selection of hyperparameters giving the best performance evaluation.

A method as claimed in any one of claims 1 to 5, wherein the trainable machine (202) comprises a global neural network (204) comprising N layers of neurons, the upstream neural network (204A) comprising the first N – k layers and the classifier (204B) having the last k layers, k being greater than or equal to one. A method according to any of claims 1 to 6, wherein the supervised training is further performed such that the trainable machine (202) performs one or more other tasks. Method (500) for detecting abnormal behavior of an entity (E) comprising:

• supplying (506) at least one set of statistical characteristics (V ₁ …V _K ) of dated actions of the entity (E) in a computing infrastructure (100) to a signature generator (204A) designed to after a process according to any one of claims 1 to 7;
• the supply (508) by the signature generator (204A) of a signature (SG ₁ …SG _K ) of the entity (E) for each set of statistical characteristics (V ₁ …V _K );
• the comparison (512) of a datum (D*) resulting from the signature(s) (SG ₁ ...SG _N ) supplied by the signature generator (204A) with at least one reference datum (D); And
• the detection (512) of a normal or abnormal behavior of the entity (E) from the comparison.

Computer program downloadable from a communication network and/or recorded on a computer-readable medium and/or executable by a processor, characterized in that it comprises instructions for the execution of the steps of a method according to any of claims 1 to 8, when said program is executed on a computer. System (200) for designing a signature generator (204A) intended to provide a signature (SG) of an entity (E) from a set of statistical characteristics (V) of dated actions of this entity ( E) in an IT infrastructure (100), comprising:

• a drivable machine (202) comprising at least:
  • an upstream neural network (204A) intended to provide a signature (SG) of an entity (E) from a set of statistical characteristics (V) of dated actions of this entity (E) in an IT infrastructure ( 100), and
  • a classifier (204B) intended to provide an entity prediction (E*) from the signature (SG) provided by the upstream neural network (204A);
• a training device (207) adapted to train the trainable machine (202) in a supervised manner from training data comprising sets of statistical characteristics (V) of dated actions, each associated with an entity (E) having performing these actions in the computing infrastructure (100), such that the trainable machine (202) correctly predicts the entities (E) associated with the statistical feature sets (V) of the training data;

the system (200) being characterized in that the driving device (207) is further adapted to drive the drivable machine (202) such that the drivable machine (202) gathers the signatures (SG) of each of the entities ( E) associated with the sets of statistical features (V) of the training data around a center associated with this entity (E), and in that the signature generator (204A) includes the upstream neural network (204A) after coaching.